Outdated technology on U.S. credit cards an open invitation to fraudsters

Thursday

Jan 23, 2014 at 12:01 AMJan 23, 2014 at 6:19 AM

U.S. banks and retailers, a decade behind in deploying the secure, high-tech credit cards used elsewhere in the world, might take years to switch to a system that all but eliminates common types of fraud.

U.S. banks and retailers, a decade behind in deploying the secure, high-tech credit cards used elsewhere in the world, might take years to switch to a system that all but eliminates common types of fraud.

Under pressure from credit-card companies, major banks and retailers have begun to roll out the cards, which carry a computer chip and advanced security software that keeps the customer's account number and other details invisible even if crooks steal records from a store or bank.

But the conversion could take years to reach critical mass amid a squabble over who will foot the estimated $8 billion bill. This, despite fears that scammers have been targeting the United States because of its outdated technology. The nation's credit-card fraud rate, once the lowest in the world, has doubled in the 10 years since chip cards spread across Europe.

The theft of tens of millions of records from Target over the holiday-shopping season has focused attention on the United States as a weak link. Lawmakers are calling for faster action to secure systems, and law-enforcement agencies are investigating the huge security breach, which is thought to have been the work of sophisticated hackers abroad.

But taking even the obvious step of introducing state-of-the-art cards "will take time. ... The U.S. is the largest and the most-complex market to move, so that will influence the migration," said Carolyn Balfany, a senior vice president with MasterCard Worldwide. The card companies have said that as of late 2015, they will hold merchants or banks that have not moved to the chip-card system responsible for fraudulent purchases that the advanced cards would have prevented.

Balfany estimated that even by that deadline, the number of cards and terminals carrying the advanced technology might only be "in the midrange" - a vast improvement over the negligible numbers of chip cards and terminals now in place, but one that would still leave many consumers vulnerable.

Fraudulent purchases using fake credit cards or stolen numbers can be a nightmare for individuals. Consumers are protected under federal law from paying for the purchases but still must deal with the potential damage to their credit record and worry about the risk of more-serious forms of identity theft.

Across the country's sprawling retail economy, however, the cost has been relatively small - as little as $1.1 billion a year lost to the fraudulent transactions that chip cards are most likely to prevent, according to Federal Reserve data. Businesses have been willing to absorb that loss rather than invest in a new system.

In a 2012 Federal Reserve Bank of Atlanta study, payments-risk expert Douglas King concluded that the level of fraud in the United States was low enough that the business case for chip cards had "yet to fully crystallize."

The conversion also has been tangled in disputes between banks and retailers over the cost of payment processing - the "interchange" fees that merchants pay to accept credit cards - and the risk posed by other types of fraud, such as online scams, that chip cards cannot prevent.

The result: While the rest of the world has sped forward, U.S. shoppers remain at risk in a system where old-school magnetic-strip cards will remain the norm for perhaps several years. Unlike the chip-bearing cards, data from magnetic strips are easily read and exploited by hackers, who can use the information to make fake purchases, produce counterfeit cards or employ in other identity-theft schemes.

Banks typically are introducing chip-bearing cards as old ones expire, which means it could take as long as three years to complete the process, given the usual replacement cycle. The larger card issuers have announced no plans to speed up the process in the wake of the Target breach.

Large retailers such as Wal-Mart and Target, meanwhile, have invested in the new terminals needed to make use of the extra security that chip cards offer, but it's not clear how long smaller companies or mom-and-pop stores will take to convert.

In Western Europe, where the chip technology first developed, more than 90 percent of retail terminals and 80 percent of cards have been shifted to the chip-based system.

The technology has not eliminated fraud but has lead to a dramatic reduction in some staple criminal tactics. Chip cards are all but impossible to counterfeit, for example, and even if records are stolen from a central company computer or "skimmed" from a store terminal, the consumer's information is inaccessible.

"Even if you do a systems breach, it makes the data much less valuable," said Jack Jania, senior vice president for Gemalto North America, the U.S. subsidiary of a Dutch card-manufacturing company that makes about 2 billion credit, debit and other cards a year. Jania said stolen records from transactions involving chip-bearing cards sell on the black market for perhaps a tenth of what criminals will pay for records derived from magnetic strips.